Europe takes lead on e-sigs

Just because agencies and corporations in the United States can legally apply electronic signatures to online transactions does not mean they have the technical ability to prevent fraudulent use of those signatures.

European countries, which face the same situation, have taken the lead in developing a common standard for electronic signatures, and the European Union is finalizing technical standards from which the U.S. government might learn.

The standard defines two levels of security or "assurance" that organizations might apply to electronic signatures, depending on the sensitivity of the transaction. Under the 1999 directive, the European Union laid out two levels of security:

* Basic electronic signatures that can be used for the minimum level of transactions where the participants simply want to ensure that the people at the other end can verify their identities.

* Qualified certificates, in which the electronic signature is only one part of the authentication and authorization information stored on the certificate.

Defining such levels of assurance is key to electronic commerce, European officials say.

Ideally, an electronic signature should be voided if someone intercepts and tampers with an electronic transaction. But without electronic signature standards, an organization receiving an electronically signed transaction cannot be 100 percent confident that the other party has taken adequate measures to protect that transaction.
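The "voided on tampering" property described above is what a digital signature gives a receiving organization: the signature is bound to the exact bytes that were signed, so an altered transaction fails verification. The following Go program is an added example written for this article, not code from the article or from any of the organizations it names; it uses the standard library's Ed25519 implementation, and the transaction type, field names and the JSON payload are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedTransaction pairs a transaction body with the signature the sender
// produced over it. The type and field names are assumptions for this example.
type SignedTransaction struct {
	Body      []byte
	Signature []byte
}

// SignTransaction signs the transaction body with the sender's private key.
// Ed25519 hashes the message internally, so the body is signed directly.
func SignTransaction(priv ed25519.PrivateKey, body []byte) SignedTransaction {
	return SignedTransaction{Body: body, Signature: ed25519.Sign(priv, body)}
}

// VerifyTransaction checks the signature against the body as received. Any
// change to Body or Signature makes this return false, which is the "voided"
// state the article describes.
func VerifyTransaction(pub ed25519.PublicKey, tx SignedTransaction) bool {
	return ed25519.Verify(pub, tx.Body, tx.Signature)
}

// Tamper models a message altered in transit: the body changes, but whoever
// changed it lacks the sender's key and can only keep the original signature.
func Tamper(tx SignedTransaction, altered []byte) SignedTransaction {
	return SignedTransaction{Body: altered, Signature: tx.Signature}
}

// DemoTamperDetection runs the scenario on a constructed payment message and
// returns whether verification succeeds before and after tampering.
func DemoTamperDetection() (okBefore, okAfter bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Constructed sample transaction; the JSON shape is an assumption.
	original := []byte(`{"payee":"ACME","amount":"100.00","currency":"EUR"}`)
	tx := SignTransaction(priv, original)
	okBefore = VerifyTransaction(pub, tx)

	// The amount is changed in transit while the original signature is kept.
	forged := Tamper(tx, []byte(`{"payee":"ACME","amount":"900.00","currency":"EUR"}`))
	okAfter = VerifyTransaction(pub, forged)
	return okBefore, okAfter, nil
}

func main() {
	before, after, err := DemoTamperDetection()
	if err != nil {
		panic(err)
	}
	fmt.Printf("verifies before tampering: %v\n", before)
	fmt.Printf("verifies after tampering:  %v\n", after)
}
```

The receiving side never has to reason about what happened on the wire: it recomputes verification over the bytes it actually received, and a false result is the signal to reject the transaction. What the signature cannot tell the receiver is whether the sender's private key was adequately protected, which is the gap the assurance levels discussed in the article are meant to close.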

Without a reasonable minimum level of assurance, electronic transactions will not gain the necessary trust and confidence for widespread use, and electronic signatures will be abandoned before they have a chance to be proven, said Frank Jorissen, deputy vice president of international operations at Utimaco Safeware Group in Belgium and a member of the European Electronic Signature Standardization Initiative Steering Group.

The European Commission created the European Electronic Signature Standardization Initiative (EESSI) following the EU's December 1999 directive detailing the need for legal validity of electronic signatures based on technical standards.

But neither U.S. law nor the EU directive considers the technical standards that would support the legal validity.

The EESSI Steering Group has contacted other organizations that have begun to wrestle with this problem, such as the Internet Engineering Task Force (IETF), the World Wide Web Consortium (W3C) and the American Bar Association. But these organizations' efforts are, "at this stage, not necessarily sufficient," according to statements from the steering group.

The problem with differentiating among the many security levels now available through electronic signatures is the same one that agencies and businesses in the United States are facing.

Those who use services that require electronic signatures must trade off between having strong security that will be complex, take up bandwidth and take users longer to connect, and making an application user-friendly and less secure, Jorissen said, speaking last month at the Information Security Solutions Europe conference in Barcelona, Spain.

"What we have now is security, but it is not secured," he said.

The EESSI's technical group, under the European Telecommunications Standards Institute, has developed a draft of the technical requirements for qualified certificates, the comment period for which closed last week.

The draft is still based on international common certificate standards such as X.509, which is used by security providers such as RSA Security Inc., Entrust Technologies and Baltimore Technologies, and emulates what the IETF and W3C have done to determine how the extra authorization information should be attached to the certificate.
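X.509 certificates carry extra information in extensions, each identified by an object identifier (OID) and holding a DER-encoded value, and that is the mechanism the paragraph above refers to for attaching authorization data to a certificate. The following Go program is an added example written for this article, not the EESSI draft, the IETF profile, or any vendor's code: it issues a self-signed certificate with a constructed authorization extension (the OID is a placeholder, not one assigned by any standards body, and the role-and-limit data is made up), then shows a relying party reading it back. Passing `nil` produces an identity-only certificate, which is this example's stand-in for the article's basic level, and the reader rejects it rather than treating it as qualified.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// oidAuthorizationInfo is a placeholder OID under the private-enterprise arc.
// It is an assumption for this example, not an OID assigned by EESSI or ETSI.
var oidAuthorizationInfo = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// AuthorizationInfo is the constructed authorization data the example carries
// in the certificate extension: a role and a transaction limit, both made up.
type AuthorizationInfo struct {
	Role  string
	Limit int
}

// IssueCertificate self-signs a certificate for subject. With info == nil it
// produces a basic identity-only certificate; otherwise the authorization data
// is DER-encoded and attached as a non-critical extension, which is how this
// example models the second, "qualified" level.
func IssueCertificate(subject string, info *AuthorizationInfo) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if info != nil {
		value, err := asn1.Marshal(*info)
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidAuthorizationInfo, Critical: false, Value: value}}
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

// ReadAuthorization parses a certificate, checks its own signature, and
// returns the authorization extension. A certificate without the extension is
// rejected, so a relying party never silently treats a basic certificate as a
// qualified one. A real deployment would verify the chain to the issuing CA
// instead of the self-signature checked here.
func ReadAuthorization(der []byte) (AuthorizationInfo, error) {
	var info AuthorizationInfo
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return info, err
	}
	if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
		return info, err
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidAuthorizationInfo) {
			_, err := asn1.Unmarshal(ext.Value, &info)
			return info, err
		}
	}
	return info, errors.New("certificate carries no authorization extension")
}

func main() {
	qualified, err := IssueCertificate("alice", &AuthorizationInfo{Role: "accounts-payable", Limit: 5000})
	if err != nil {
		panic(err)
	}
	info, err := ReadAuthorization(qualified)
	fmt.Printf("qualified certificate: %+v, err=%v\n", info, err)

	basic, err := IssueCertificate("bob", nil)
	if err != nil {
		panic(err)
	}
	_, err = ReadAuthorization(basic)
	fmt.Printf("basic certificate: err=%v\n", err)
}
```

Because the authorization data sits inside the signed portion of the certificate, it carries the issuer's signature and cannot be altered without invalidating the certificate, which is what lets a relying party treat it with the same confidence as the subject's identity. Marking the extension non-critical means software that does not understand the OID still accepts the certificate for ordinary use; a profile that wanted unaware software to reject such certificates would mark it critical instead.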

Using open standards like this is important, said Stefan Santesson, chief technology officer at AddTrust in Sweden and a member of both the EESSI technical task force and the IETF. It will allow the EU-qualified certificate to be much like the "quality stamp" on a physical identification, like a passport, that can be accepted by businesses and agencies anywhere around the world to mean a certain level of security assurance, he said.